Use the caIPAserviceCert profile for issuing service certs.

This profile enables subject validation and ensures that the subject
that the CA issues is uniform. The client can only request a specific
CN, the rest of the subject is fixed.

This is the first step of allowing the subject to be set at
installation time.

Also fix 2 more issues related to the return results migration.

ipalib/plugins/cert.py

@@ -179,7 +179,7 @@ class cert_request(VirtualCommand):
         # going to add it
         try:
             if not principal.startswith('host/'):
-                service = api.Command['service_show'](principal, all=True, raw=True)
+                service = api.Command['service_show'](principal, all=True, raw=True)['result']
                 dn = service['dn']
             else:
                 realm = principal.find('@')
@@ -196,7 +196,7 @@ class cert_request(VirtualCommand):
             if not add:
                 raise errors.NotFound(reason="The service principal for this request doesn't exist.")
             try:
-                service = api.Command['service_add'](principal, **{})
+                service = api.Command['service_add'](principal, **{})['result']
                 dn = service['dn']
             except errors.ACIError:
                 raise errors.ACIError(info='You need to be a member of the serviceadmin role to add services')

ipaserver/plugins/dogtag.py

@@ -1511,7 +1511,7 @@ class ra(rabase.rabase):
         http_status, http_reason_phrase, http_headers, http_body = \
             self._sslget('/ca/ee/ca/profileSubmit',
                          self.env.ca_ee_port,
-                         profileId='caRAserverCert',
+                         profileId='caIPAserviceCert',
                          cert_request_type=request_type,
                          cert_request=csr,
                          xml='true')